Bolting the digital door

Cyber risks are a growing threat to Asia’s growth and governments need to step up their efforts to encourage mitigation and make the risks more insurable.

Singapore is leading the way, but even this proactive government continues to face problems of its own. On January 28, the health ministry revealed that the identities of 14,200 HIV-positive individuals had been leaked, once again highlighting the vulnerability of the city’s health records after hackers stole 1.5 million records from SingHealth in an unrelated breach last year.

Many other governments in the region are less transparent and less capable than Singapore. It can safely be assumed that unreported breaches are frequently occurring elsewhere in the region, within both public and private organisations.

“Here in Asia, the likelihood of cyber attacks is unfortunately disproportionately higher than in other regions,” said Elean Chin, responsible for insurance development at the Monetary Authority of Singapore (MAS), in a speech last week. “Asia is one of the most digitally-connected economic blocs, with high internet connectivity and smartphone penetration levels. Yet cybersecurity investment and data breach protection laws remain inadequate.”

Indeed. Asia Pacific saw the highest number of compromised records and security events in the first half of last year, according to Gemalto’s breach index, accounting for close to 40% of global cybersecurity incidents and 30% of compromised records worldwide. In 2017, Asia reportedly suffered US$1.75 trillion in economic losses. And that is just based on the known breaches.

MAS’s Chin, speaking at the launch of a report by the city’s Cyber Risk Management (CyRiM) Project, compared cyber risk to natural catastrophe risk, citing a modelled estimate that a major cyber attack originating from Asia could cost US$19 billion in economic losses.

But you know when you’ve been hit by a typhoon. If Singapore’s HIV data had not been leaked, the ministry may never have known that the information had been stolen — or what it was being used for.

Some Singaporeans even worried that the data could have been accessed by life insurers, prompting the city’s industry body to issue a statement assuring policyholders that “life insurers will not seek out the leaked data for any purpose whatsoever” and that even if the data is sent to them they “will not use the data and will inform the relevant authorities immediately”.

Instead, insurers need to be part of the solution. “Insurance plays a critical role in pricing cyber risk through the premiums that firms pay, and through this pricing mechanism creates incentives for firms to mitigate cyber risk,” said Chin.

A report by the Ponemon Institute estimates that cyber insurance and incident response, which cyber insurance increasingly covers, bring down the cost of a data breach by about 12%.

But the CyRiM report highlights the slow take-up of cyber insurance and estimates the global protection gap at about 86%. “In Asia, this is even more pronounced, with only 6% of global cyber premiums coming from the region,” Chin said, though she added that MAS expects Asia’s cyber insurance market to grow from an estimated US$50 million in 2017 to US$1 billion in 2025 — which implies a growth rate of more than 50% a year.

Insurers will need to improve their efforts to make that happen. A survey by insurance consultancy McTavish revealed that 35% of respondents said cyber insurance was “unfit for purpose” and 22% “do not trust the insurer to pay out”.

Because of the challenges in writing cyber risks, policies tend to have high deductibles, low coverage limits and significant exclusions.

Singapore’s initiatives to address the problem include research on definitions, data, scenarios, risk assessment frameworks and policy aims. In relation to potential exposure to non-affirmative or silent cyber risks in traditional property and liability policies, the Singapore Reinsurers’ Association is leading an effort to address peak exposures and reduce some of the uncertainty surrounding cyber underwriting.

“Can we make this uninsurable risk insurable? It is possible. However, we need to make deep foundations for the development of an efficient cyber insurance marketplace,” concluded Chin.

Other governments around the region need to make similar efforts to move cybersecurity up their policy agendas. This will be no small commitment. Consultancy AT Kearney estimates that Asean countries need to spend up to 0.61% of their GDP — or US$171 billion collectively — on cybersecurity in the period spanning 2017 to 2025.